GPO not applying to organisation unit in Active Directory

[swpmre]

Hi,

I've just configured and set up a brand new Windows 2008 Server. It's going to be our first AD server.

I've created a couple of test users, and I can logon to a laptop using their username / password, in the newly created domain.

I've created a organisation unit (called student) and moved the users into that OU.

I've then created a GPO, linked it to that OU and setup some test settings (prevent access to Control Panel / hide recycle bin etc etc).

However, when I logon on to the laptop, using a username that is definitely inside that OU, the Group Policy is never applied. I've tried rebooting everything, forcing Group Policy Updates, creating a new GPO from scratch, creating a new user, but nothing works.

Since I am effecitvely following a test lesson from the Fundamentals of Win Server 2008 course that I did a few weeks ago, I cannot see what I am doing wrong. Perhaps there is something else that is not setup correctly that I've forgotten, because everything else seems fine.

Any ideas?

[sted]

do any settings from other policies apply (try making a obvious but minor change to default domain policy see what happens)

also worth running rsop.msc see what policies it thinks it should apply

[swpmre]

Ah. No, made a minor change to the default domain policy and this hasn't been applied.

Any ideas what this might indicate?

[Firefox]

1) I'm guessing you have not blocked Inheritance inheritance anywhere in your structure?

2) Have you filtered the GPO to only to certain users\groups

3) Have you filtered to apply to a particular WMI service?

4) Have you made sure that the policy settings you have made are under User Configuration and not Computer Configuration?

5) Have you made sure the User Configuration is enabled?

6) Check the Group policy ordering, to make sure your policy applies last (top of the list)

when you run a GPRESULT /R does it tell your your policy should be applying?

Also I assume you are operating all in 1 domain? otherwise you might need to consider loopback

[brunanburh]

I have had similar problems and tracked it down to media sense.

Have a look at - How to disable the Media Sensing feature for TCP&#47IP in Windows

It can be weird and affect som machines and not others

[FN-GM]

Are you clients DNS settings pointing to your DC?

[KK20]

<ignore, re read post)

[swpmre]

Thanks FN-GN - That's the one. The laptop was not pointing to this server as the DNS. Seems to work ok now. Cheers everyone for all your positive and thoughtful suggestions.

[FN-GM]

Thanks FN-GN - That's the one. The laptop was not pointing to this server as the DNS. Seems to work ok now. Cheers everyone for all your positive and thoughtful suggestions.

Not a problem, you will probably find the machines will run faster now as well during login and startup.

[RobBaxter]

Nice one FN-GM, was just about to reply with that and saw you beat me to it .

Rule one of Windows AD Domains (check the DNS). Dependant is not the word... Absolutely required so things don't die horibly is more like it. I would say after an install 30% of all problems are DNS related . Also i can't wait to implement IPv6 (*sarcisum*) you just know thats going to completed screw with my DNS for no reason at all